Re: [PacketFence-users] MSCHAP and Local Auth

2020-10-30 Thread Durand fabrice via PacketFence-users

Yes, it looks like you made a typo in raddb/policy.d/packetfence


Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
/usr/local/pf/raddb/sites-enabled/packetfence[190]: Failed to parse 
"packetfence-mschap-authenticate" entry.


On 20-10-30 at 21:00, Enrique Gross wrote:

Thanks Fabrice

I probably messed up something, and should start over with my testing 
setup, this is journalctl when starting radiusd, i have been checking 
config files regarding sql modules, but with no luck.


Thanks, and good weekend

Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql_mysql: Starting connect to MySQL server
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (sql): Reserved connection (0)
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (sql): Released connection (0)
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (pfguest): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (pfsponsor): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (pfsms): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (pflocal): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (sql_reject): groupmemb_query is empty.  Please delete it from 
the configuration
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (sql_reject): authorize_check_query is empty.  Please delete 
it from the configuration
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (sql_reject): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (sql_degraded): groupmemb_query is empty.  Please delete it 
from the configuration
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (sql_degraded): Ignoring read_groups as group_membership_query 
is not configured
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_sql (sql_degraded): Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_mschap (chrooted_mschap): authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_mschap (chrooted_mschap_machine): authenticating by calling 
'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_mschap (mschap_machine): authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
rlm_mschap (mschap_local): using internal authentication
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
/usr/local/pf/raddb/policy.d/packetfence[15]: "sql" modules aren't 
allowed in 'authenticate' sections -- they have no such method.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
/usr/local/pf/raddb/policy.d/packetfence[15]: Failed to parse 
"pflocal" entry.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
/usr/local/pf/raddb/policy.d/packetfence[145]: Failed to parse 
"packetfence-local-auth" entry.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
/usr/local/pf/raddb/policy.d/packetfence[144]: Failed to parse "else" 
subsection.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
/usr/local/pf/raddb/policy.d/packetfence[140]: Failed to parse "else" 
subsection.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]: 
/usr/local/pf/raddb/sites-enabled/packetfence[190]: Failed to parse 
"packetfence-mschap-authenticate" entry.
Oct 31 00:53:38 pf.jcc.com.ar  systemd[1]: 
packetfence-radiusd-auth.service: control process exited, code=exited 
status=1


On Fri, Oct 30, 2020 at 19:59, Durand fabrice wrote:


Hello Enrique,

i did the same on my side and i am able to restart radiusd.

Take a look at journalctl to see why it fails to start.

Regards

Fabrice


On 20-10-30 at 14:44, Enrique Gross wrote:
> Hi all!
>
> Thanks for your help Fabrice
>
> When changing function to packetfence-local-auth, radius-auth fails to
> start, i am not getting so much info of radius.log
>
> Oct 30 18:39:09 pf auth[7031]: Signalled to terminate
> Oct 30 18:39:09 pf auth[7031]: Exiting normally
> Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.
> Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.
>
> And packetfence.log
>
> Oct 30 
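
An added example, not part of the original messages and not PacketFence or FreeRADIUS code: a Python triage helper for the radiusd startup output quoted in this message. It rejoins the wrapped journal lines, takes the first `file[line]:` message as the innermost error, and lists the "Failed to parse" lines that follow as the enclosing blocks; the function names are hypothetical and the sample is copied from the journalctl output above.

```python
import re

# Lines copied from the journalctl output quoted in the thread, still
# wrapped the way the mail archive shows them.
SAMPLE_JOURNAL = """\
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]:
rlm_mschap (mschap_local): using internal authentication
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[15]: "sql" modules aren't
allowed in 'authenticate' sections -- they have no such method.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[15]: Failed to parse
"pflocal" entry.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[145]: Failed to parse
"packetfence-local-auth" entry.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[144]: Failed to parse "else"
subsection.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[140]: Failed to parse "else"
subsection.
Oct 31 00:53:38 pf.jcc.com.ar  radiusd[17061]:
/usr/local/pf/raddb/sites-enabled/packetfence[190]: Failed to parse
"packetfence-mschap-authenticate" entry.
Oct 31 00:53:38 pf.jcc.com.ar  systemd[1]:
packetfence-radiusd-auth.service: control process exited, code=exited
status=1
"""

# A syslog-style timestamp marks the start of a new record.
TIMESTAMP = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ')
# radiusd config errors look like "<path>[<line>]: <message>".
CONFIG_ERR = re.compile(r'radiusd\[\d+\]:\s*(/\S+?)\[(\d+)\]:\s*(.+)$')
FAILED = re.compile(r'Failed to parse "([^"]+)" (entry|subsection)')


def rejoin(text):
    """Merge mail-wrapped continuation lines back into one record each."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Return the innermost config error and the chain of blocks around it.

    Returns None when the output contains no "<path>[<line>]:" error.
    """
    errors = []
    for record in rejoin(text):
        m = CONFIG_ERR.search(record)
        if m:
            errors.append({"file": m.group(1),
                           "line": int(m.group(2)),
                           "msg": m.group(3)})
    if not errors:
        return None
    # The parser reports the innermost problem first, then one
    # "Failed to parse" line per enclosing entry as it unwinds.
    chain = []
    for err in errors[1:]:
        m = FAILED.search(err["msg"])
        if m:
            chain.append((m.group(1), m.group(2), err["file"], err["line"]))
    return {"root": errors[0], "chain": chain}


def report(text):
    """Format the triage result as text, innermost error first."""
    result = triage(text)
    if result is None:
        return "no configuration parse errors found"
    root = result["root"]
    lines = ["root cause: %s line %d: %s"
             % (root["file"], root["line"], root["msg"])]
    for name, kind, path, lineno in result["chain"]:
        lines.append("  inside %s %r (%s line %d)" % (kind, name, path, lineno))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_JOURNAL))
```

On a live system the same functions can be fed the saved output of journalctl for the radiusd unit instead of `SAMPLE_JOURNAL`.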

Re: [PacketFence-users] MSCHAP and Local Auth

2020-10-30 Thread Enrique Gross via PacketFence-users
Thanks Fabrice

I probably messed up something, and should start over with my testing
setup, this is journalctl when starting radiusd, i have been checking config
files regarding sql modules, but with no luck.

Thanks, and good weekend

Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql_mysql: Starting
connect to MySQL server
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql): Reserved
connection (0)
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql): Released
connection (0)
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (pfguest): Attempting
to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (pfsponsor):
Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (pfsms): Attempting
to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (pflocal): Attempting
to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_reject):
groupmemb_query is empty.  Please delete it from the configuration
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_reject):
authorize_check_query is empty.  Please delete it from the configuration
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_reject):
Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_degraded):
groupmemb_query is empty.  Please delete it from the configuration
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_degraded):
Ignoring read_groups as group_membership_query is not configured
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_sql (sql_degraded):
Attempting to connect to database "pf"
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap (mschap):
authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap (chrooted_mschap):
authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap
(chrooted_mschap_machine): authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap (mschap_machine):
authenticating by calling 'ntlm_auth'
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]: rlm_mschap (mschap_local):
using internal authentication
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[15]: "sql" modules aren't allowed
in 'authenticate' sections -- they have no such method.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[15]: Failed to parse "pflocal"
entry.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[145]: Failed to parse
"packetfence-local-auth" entry.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[144]: Failed to parse "else"
subsection.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]:
/usr/local/pf/raddb/policy.d/packetfence[140]: Failed to parse "else"
subsection.
Oct 31 00:53:38 pf.jcc.com.ar radiusd[17061]:
/usr/local/pf/raddb/sites-enabled/packetfence[190]: Failed to parse
"packetfence-mschap-authenticate" entry.
Oct 31 00:53:38 pf.jcc.com.ar systemd[1]: packetfence-radiusd-auth.service:
control process exited, code=exited status=1

On Fri, Oct 30, 2020 at 19:59, Durand fabrice wrote:

> Hello Enrique,
>
> i did the same on my side and i am able to restart radiusd.
>
> Take a look at journalctl to see why it fails to start.
>
> Regards
>
> Fabrice
>
>
> On 20-10-30 at 14:44, Enrique Gross wrote:
> > Hi all!
> >
> > Thanks for your help Fabrice
> >
> > When changing function to packetfence-local-auth, radius-auth fails to
> > start, i am not getting so much info of radius.log
> >
> > Oct 30 18:39:09 pf auth[7031]: Signalled to terminate
> > Oct 30 18:39:09 pf auth[7031]: Exiting normally
> > Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.
> > Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.
> >
> > And packetfence.log
> >
> > Oct 30 18:39:09 pf packetfence: pfperl-api(2390) INFO: Stopping
> > radiusd-auth with pid 7031 (pf::services::manager::stopService)
> > Oct 30 18:39:09 pf packetfence: pfperl-api(2390) INFO: child exited with value 0
> >   (pf::services::manager::stopService)
> > Oct 30 18:39:14 pf packetfence: pfperl-api(2394) INFO: Daemon
> > radiusd-auth took 2.123 seconds to start.
> > (pf::services::manager::launchService)
> >
> > Thanks!
> >
> >
> > On Thu, Oct 29, 2020 at 21:57, Durand fabrice wrote:
> >> Hello Enrique,
> >>
> >> sorry for the late reply.
> >>
> >> So ppp mschap with local pf account is not really implemented.
> >>
> >> What you can try is to edit /usr/local/pf/raddb/policy.d/packetfence
> >> and find the following function:
> >>
> >> packetfence-mschap-authenticate {
> >>   if(PacketFence-Domain) {
> >>     if ( "%{User-Name}" =~ /^host\/.*/) {
> >>       chrooted_mschap_machine
> >>     }
> >>     else {
> >>       chrooted_mschap
> >>     }
> 

Re: [PacketFence-users] MSCHAP and Local Auth

2020-10-30 Thread Durand fabrice via PacketFence-users

Hello Enrique,

i did the same on my side and i am able to restart radiusd.

Take a look at journalctl to see why it fails to start.

Regards

Fabrice


On 20-10-30 at 14:44, Enrique Gross wrote:

Hi all!

Thanks for your help Fabrice

When changing function to packetfence-local-auth, radius-auth fails to
start, i am not getting so much info of radius.log

Oct 30 18:39:09 pf auth[7031]: Signalled to terminate
Oct 30 18:39:09 pf auth[7031]: Exiting normally
Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.
Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.

And packetfence.log

Oct 30 18:39:09 pf packetfence: pfperl-api(2390) INFO: Stopping
radiusd-auth with pid 7031 (pf::services::manager::stopService)
Oct 30 18:39:09 pf packetfence: pfperl-api(2390) INFO: child exited with value 0
  (pf::services::manager::stopService)
Oct 30 18:39:14 pf packetfence: pfperl-api(2394) INFO: Daemon
radiusd-auth took 2.123 seconds to start.
(pf::services::manager::launchService)

Thanks!


On Thu, Oct 29, 2020 at 21:57, Durand fabrice wrote:

Hello Enrique,

sorry for the late reply.

So ppp mschap with local pf account is not really implemented.

What you can try is to edit /usr/local/pf/raddb/policy.d/packetfence and find 
the following function:

packetfence-mschap-authenticate {
  if(PacketFence-Domain) {
    if ( "%{User-Name}" =~ /^host\/.*/) {
      chrooted_mschap_machine
    }
    else {
      chrooted_mschap
    }
  }
  else {
    if ( "%{User-Name}" =~ /^host\/.*/) {
      mschap_machine
    }
    else {
      mschap
    }
  }
}


and replace it with:

packetfence-mschap-authenticate {
  if(PacketFence-Domain) {
    if ( "%{User-Name}" =~ /^host\/.*/) {
      chrooted_mschap_machine
    }
    else {
      chrooted_mschap
    }
  }
  else {
    if ( "%{User-Name}" =~ /^host\/.*/) {
      mschap_machine
    }
    else {
      packetfence-local-auth
    }
  }
}

Then restart radius and retry.

Let me know if it works.

Regards

Fabrice


On 20-10-26 at 12:15, Enrique Gross wrote:

Thanks Fabrice

raddebug output:

(727) Mon Oct 26 15:54:22 2020: Debug: Received Access-Request Id 132 from 
X.X.X.X:55645 to X.X.X.X:1812 length 191
(727) Mon Oct 26 15:54:22 2020: Debug:   Service-Type = Framed-User
(727) Mon Oct 26 15:54:22 2020: Debug:   Framed-Protocol = PPP
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Port = 39
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Port-Type = Virtual
(727) Mon Oct 26 15:54:22 2020: Debug:   User-Name = "coyo"
(727) Mon Oct 26 15:54:22 2020: Debug:   Calling-Station-Id = "X.X.X.X"
(727) Mon Oct 26 15:54:22 2020: Debug:   Called-Station-Id = "X.X.X.X"
(727) Mon Oct 26 15:54:22 2020: Debug:   Acct-Session-Id = "81d00cdf"
(727) Mon Oct 26 15:54:22 2020: Debug:   MS-CHAP-Challenge = 
0xebf6d832753d4fdf8383548a74da2637
(727) Mon Oct 26 15:54:22 2020: Debug:   MS-CHAP2-Response = 
0x0100abb873a94cda9a306246c4fef05e7a90b44e09097c106ee6479636c7545e3fdd9b27a86cdbfa77a5
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Identifier = "MK-IBERA2"
(727) Mon Oct 26 15:54:22 2020: Debug:   NAS-IP-Address = X.X.X.X
(727) Mon Oct 26 15:54:22 2020: Debug: # Executing section authorize from file 
/usr/local/pf/raddb/sites-enabled/packetfence
(727) Mon Oct 26 15:54:22 2020: Debug:   authorize {
(727) Mon Oct 26 15:54:22 2020: Debug: policy packetfence-nas-ip-address {
(727) Mon Oct 26 15:54:22 2020: Debug:   if (!NAS-IP-Address || NAS-IP-Address == 
"0.0.0.0"){
(727) Mon Oct 26 15:54:22 2020: Debug:   if (!NAS-IP-Address || NAS-IP-Address == 
"0.0.0.0") -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug: } # policy 
packetfence-nas-ip-address = notfound
(727) Mon Oct 26 15:54:22 2020: Debug: update {
(727) Mon Oct 26 15:54:22 2020: Debug:   EXPAND %{Packet-Src-IP-Address}
(727) Mon Oct 26 15:54:22 2020: Debug:  --> X.X.X.X
(727) Mon Oct 26 15:54:22 2020: Debug:   EXPAND %{Packet-Dst-IP-Address}
(727) Mon Oct 26 15:54:22 2020: Debug:  --> X.X.X.X
(727) Mon Oct 26 15:54:22 2020: Debug:   EXPAND %l
(727) Mon Oct 26 15:54:22 2020: Debug:  --> 1603738462
(727) Mon Oct 26 15:54:22 2020: Debug: } # update = noop
(727) Mon Oct 26 15:54:22 2020: Debug: policy 
packetfence-set-realm-if-machine {
(727) Mon Oct 26 15:54:22 2020: Debug:   if (User-Name =~ 
/host\/([a-z0-9_-]*)[\.](.*)/i) {
(727) Mon Oct 26 15:54:22 2020: Debug:   if (User-Name =~ 
/host\/([a-z0-9_-]*)[\.](.*)/i)  -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug: } # policy 
packetfence-set-realm-if-machine = noop
(727) Mon Oct 26 15:54:22 2020: Debug: policy 
packetfence-balanced-key-policy {
(727) Mon Oct 26 15:54:22 2020: Debug:   if ( && 
( =~ /^(.*)(.)$/i)) {
(727) Mon Oct 26 15:54:22 2020: Debug:   if ( && 
( =~ /^(.*)(.)$/i))  -> FALSE
(727) Mon Oct 26 15:54:22 2020: Debug:   else {
(727) 

Re: [PacketFence-users] PacketFence certificate issues

2020-10-30 Thread ypefti--- via PacketFence-users
And a little follow up on this question.

Same attempt was made from Apple iPad, I had to manually accept and trust
the certificate but then the page came up:

Not implemented, GET to /guest/s/q4b0wgkk/ not supported.

 

Eugene

 

 

From: ype...@gmail.com  
Sent: Friday, October 30, 2020 12:42 PM
To: packetfence-users@lists.sourceforge.net
Subject: PacketFence certificate issues

 

Guys,

Sorry for flooding you with questions regarding public WiFi via captive
portal.

I'm making baby steps going ahead and now ran into one more problem.

The endpoint (Windows 10) associates to a guest SSID and the web browser
opens up a page with a URL pointing to PacketFence (172.16.0.120)

It is reachable but the message on the page says: 

"Connect to Wi-Fi" with a "Connect" button.

All my attempts to click it don't produce any result. But my capture of the
conversation between the endpoint and Packetfence is attached.

The endpoint (10.0.254.4) complains about the certificate (Fatal error) and
sends RST and closes the connection

Am I missing something ?

 

Eugene

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] PacketFence certificate issues

2020-10-30 Thread ypefti--- via PacketFence-users
Guys,

Sorry for flooding you with questions regarding public WiFi via captive
portal.

I'm making baby steps going ahead and now ran into one more problem.

The endpoint (Windows 10) associates to a guest SSID and the web browser
opens up a page with a URL pointing to PacketFence (172.16.0.120)

It is reachable but the message on the page says: 

"Connect to Wi-Fi" with a "Connect" button.

All my attempts to click it don't produce any result. But my capture of the
conversation between the endpoint and Packetfence is attached.

The endpoint (10.0.254.4) complains about the certificate (Fatal error) and
sends RST and closes the connection

Am I missing something ?

 

Eugene



fw.pcap
Description: Binary data


Re: [PacketFence-users] Issues with roles and VLAN assignment

2020-10-30 Thread Ludovic Zammit via PacketFence-users
Hello,

I will quickly break down the PacketFence involvement in the two most popular 
authentication methods.

WiFi:

RADIUS EAP PEAP MSCHAPv2:

- Device submits the EAP Identity
- AP receives that info and transmits it to the controller
- Controller sends the RADIUS authentication to PF
- PF receives it and processes the RADIUS authentication, sending an NTLM 
request to the AD
- AD says ok
- RADIUS authentication successful
- PacketFence now processes the Authorization, grabs the username from the 
previous authentication and now it checks for sources (LDAP) connection profile 
to do a match on a source and return a ROLE and an ACCESS DURATION
- PacketFence checks where you connect from, grabs the VLAN id that matches the 
role you just got
- PacketFence sends the RADIUS Access Accept packet with the Authorization 
inside
- Device asks for DHCP in that returned VLAN

RADIUS Mac-authentication:

- Device connects on the SSID
- AP forwards the RADIUS authentication to PF
- PF checks your status, if unreg = registration VLAN for that switch IP or 
status reg = VLAN for that role.
- If you are not registered, you get the registration VLAN
- Device asks for IP in the registration network, does an HTTP request and gets 
redirected to the captive portal
- PacketFence checks for Filters on the connection profiles in order to display 
the correct portal. You submit your identity; as soon as you submit a valid 
identity on the portal, PacketFence sends a disconnect request to the 
controller for you to get your new access
- Device reconnects automatically, thus triggering a new RADIUS request
- PF: status = reg = VLAN prod
- Device gets an IP address in the prod/guest VLAN.

On a connection profile, you can also match on a switch group/switch and 
combine all the filters.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Oct 30, 2020, at 2:31 PM,   wrote:
> 
> Actually it was your hint about device registration that clicked and made me 
> check my connection profile. 
> Still, it ALWAYS helps to ask questions and read answers and advices very 
> carefully 
>  
> Ludovic, please guide me through the connection profile creation for public 
> WiFi with captive portal for guests.
> Just high level and mostly hints, like what modules are involved.
> I did everything as advised here on Unifi side
>  
> https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_ubiquiti_2
>  
> 
>  
> But there are gaps in understanding of what to do on PacketFence side
> I created/cloned the external authentication source for SMS based 
> registration and included only Canadian cellular operators
> I’m reusing the same switch group that includes Unifi APs, under “Role by 
> VLAN ID” I put a VLAN ID 20 to guest, but I suspect this is wrong
>  
> As far as I understand it, I need to create a condition for PacketFence to 
> help it differentiate if the authentication comes via WebAuth and not 
> Wireless-802.11-EAP. Is this where the connection profile comes into place ? 
>  
> Eugene
>  
>  
> From: Ludovic Zammit  
> Sent: Friday, October 30, 2020 11:11 AM
> To: ype...@gmail.com
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment
>  
> The logs don’t lie ;-)
>  
> Thanks,
> 
> Ludovic Zammit
> lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
> www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
> ) and PacketFence (http://packetfence.org 
> ) 
>  
> 
> 
> 
> 
>> On Oct 30, 2020, at 2:00 PM, ype...@gmail.com wrote:
>>  
>> That’s what I missed, namely the connection profile for devices registration 
>> wasn’t enabled.
>> Thank you, Ludovic!
>>  
>> From: Ludovic Zammit <lzam...@inverse.ca>
>> Sent: Friday, October 30, 2020 10:24 AM
>> To: ype...@gmail.com 
>> Cc: packetfence-users@lists.sourceforge.net 
>> 
>> Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment
>>  
>> If you node has: status = registered and a role, PacketFence would return 
>> the VLAN for the role from the switch (inherited configuration from switch 
>> groups or not).
>>  
>> Do an authentication and send the logs.packetfence.log.
>>  
>> Thanks,
>> 
>> Ludovic Zammit
>> lzam...@inverse.ca  ::  +1.514.447.4918 (x145) :: 
>>  www.inverse.ca 
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
>> ) and PacketFence (http://packetfence.org 

Re: [PacketFence-users] 802.1x client authentication without supplying the domain name.

2020-10-30 Thread ypefti--- via PacketFence-users
Hi Peter,

I'm not part of the Packetfence support group but I'm evaluating it for a
similar task.

I think you need to configure two realms, i.e. DEFAULT and NULL with the AD
domain that you need to create under "Active Directory Domains"

It works for me for WiFi authentications

 

Eugene

 

From: Chin, Peter via PacketFence-users
 
Sent: Friday, October 30, 2020 10:46 AM
To: packetfence-users@lists.sourceforge.net
Cc: Chin, Peter 
Subject: [PacketFence-users] 802.1x client authentication without supplying
the domain name.

 

I hope everyone is well. We are currently deploying a test instance of
PacketFence ZEN v10.1 and looking for some advice on how to get 802.1x
radius authentication working without supplying the domain name as part of
the user name. Any advice is greatly appreciated.

 

Thank you,

 

Peter Chin | Sr. Technical Programmer | IT Operations | Community College of
Rhode Island |400 East Ave, Warwick RI, 02886 |  
pc...@ccri.edu | (401) 825.1237

 



Re: [PacketFence-users] MSCHAP and Local Auth

2020-10-30 Thread Enrique Gross via PacketFence-users
Hi all!

Thanks for your help Fabrice

When changing function to packetfence-local-auth, radius-auth fails to
start, i am not getting so much info of radius.log

Oct 30 18:39:09 pf auth[7031]: Signalled to terminate
Oct 30 18:39:09 pf auth[7031]: Exiting normally
Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.
Oct 30 18:39:09 pf auth[7031]: rlm_perl: rlm_perl::Detaching. Reloading. Done.

And packetfence.log

Oct 30 18:39:09 pf packetfence: pfperl-api(2390) INFO: Stopping
radiusd-auth with pid 7031 (pf::services::manager::stopService)
Oct 30 18:39:09 pf packetfence: pfperl-api(2390) INFO: child exited with value 0
 (pf::services::manager::stopService)
Oct 30 18:39:14 pf packetfence: pfperl-api(2394) INFO: Daemon
radiusd-auth took 2.123 seconds to start.
(pf::services::manager::launchService)

Thanks!


On Thu, Oct 29, 2020 at 21:57, Durand fabrice wrote:
>
> Hello Enrique,
>
> sorry for the late reply.
>
> So ppp mschap with local pf account is not really implemented.
>
> What you can try is to edit /usr/local/pf/raddb/policy.d/packetfence and find 
> the following function:
>
> packetfence-mschap-authenticate {
>   if(PacketFence-Domain) {
>     if ( "%{User-Name}" =~ /^host\/.*/) {
>       chrooted_mschap_machine
>     }
>     else {
>       chrooted_mschap
>     }
>   }
>   else {
>     if ( "%{User-Name}" =~ /^host\/.*/) {
>       mschap_machine
>     }
>     else {
>       mschap
>     }
>   }
> }
>
>
> and replace it with:
>
> packetfence-mschap-authenticate {
>   if(PacketFence-Domain) {
>     if ( "%{User-Name}" =~ /^host\/.*/) {
>       chrooted_mschap_machine
>     }
>     else {
>       chrooted_mschap
>     }
>   }
>   else {
>     if ( "%{User-Name}" =~ /^host\/.*/) {
>       mschap_machine
>     }
>     else {
>       packetfence-local-auth
>     }
>   }
> }
>
> Then restart radius and retry.
>
> Let me know if it works.
>
> Regards
>
> Fabrice
>
>
> On 20-10-26 at 12:15, Enrique Gross wrote:
>
> Thanks Fabrice
>
> raddebug output:
>
> (727) Mon Oct 26 15:54:22 2020: Debug: Received Access-Request Id 132 from 
> X.X.X.X:55645 to X.X.X.X:1812 length 191
> (727) Mon Oct 26 15:54:22 2020: Debug:   Service-Type = Framed-User
> (727) Mon Oct 26 15:54:22 2020: Debug:   Framed-Protocol = PPP
> (727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Port = 39
> (727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Port-Type = Virtual
> (727) Mon Oct 26 15:54:22 2020: Debug:   User-Name = "coyo"
> (727) Mon Oct 26 15:54:22 2020: Debug:   Calling-Station-Id = "X.X.X.X"
> (727) Mon Oct 26 15:54:22 2020: Debug:   Called-Station-Id = "X.X.X.X"
> (727) Mon Oct 26 15:54:22 2020: Debug:   Acct-Session-Id = "81d00cdf"
> (727) Mon Oct 26 15:54:22 2020: Debug:   MS-CHAP-Challenge = 
> 0xebf6d832753d4fdf8383548a74da2637
> (727) Mon Oct 26 15:54:22 2020: Debug:   MS-CHAP2-Response = 
> 0x0100abb873a94cda9a306246c4fef05e7a90b44e09097c106ee6479636c7545e3fdd9b27a86cdbfa77a5
> (727) Mon Oct 26 15:54:22 2020: Debug:   NAS-Identifier = "MK-IBERA2"
> (727) Mon Oct 26 15:54:22 2020: Debug:   NAS-IP-Address = X.X.X.X
> (727) Mon Oct 26 15:54:22 2020: Debug: # Executing section authorize from 
> file /usr/local/pf/raddb/sites-enabled/packetfence
> (727) Mon Oct 26 15:54:22 2020: Debug:   authorize {
> (727) Mon Oct 26 15:54:22 2020: Debug: policy packetfence-nas-ip-address {
> (727) Mon Oct 26 15:54:22 2020: Debug:   if (!NAS-IP-Address || 
> NAS-IP-Address == "0.0.0.0"){
> (727) Mon Oct 26 15:54:22 2020: Debug:   if (!NAS-IP-Address || 
> NAS-IP-Address == "0.0.0.0") -> FALSE
> (727) Mon Oct 26 15:54:22 2020: Debug: } # policy 
> packetfence-nas-ip-address = notfound
> (727) Mon Oct 26 15:54:22 2020: Debug: update {
> (727) Mon Oct 26 15:54:22 2020: Debug:   EXPAND %{Packet-Src-IP-Address}
> (727) Mon Oct 26 15:54:22 2020: Debug:  --> X.X.X.X
> (727) Mon Oct 26 15:54:22 2020: Debug:   EXPAND %{Packet-Dst-IP-Address}
> (727) Mon Oct 26 15:54:22 2020: Debug:  --> X.X.X.X
> (727) Mon Oct 26 15:54:22 2020: Debug:   EXPAND %l
> (727) Mon Oct 26 15:54:22 2020: Debug:  --> 1603738462
> (727) Mon Oct 26 15:54:22 2020: Debug: } # update = noop
> (727) Mon Oct 26 15:54:22 2020: Debug: policy 
> packetfence-set-realm-if-machine {
> (727) Mon Oct 26 15:54:22 2020: Debug:   if (User-Name =~ 
> /host\/([a-z0-9_-]*)[\.](.*)/i) {
> (727) Mon Oct 26 15:54:22 2020: Debug:   if (User-Name =~ 
> /host\/([a-z0-9_-]*)[\.](.*)/i)  -> FALSE
> (727) Mon Oct 26 15:54:22 2020: Debug: } # policy 
> packetfence-set-realm-if-machine = noop
> (727) Mon Oct 26 15:54:22 2020: Debug: policy 
> packetfence-balanced-key-policy {
> (727) Mon Oct 26 15:54:22 2020: Debug:   if ( && 
> ( =~ /^(.*)(.)$/i)) {
> (727) Mon Oct 26 15:54:22 2020: Debug:   if ( && 
> ( =~ /^(.*)(.)$/i))  -> FALSE
> (727) Mon Oct 26 15:54:22 2020: Debug:   else {
> (727) Mon Oct 26 15:54:22 

Re: [PacketFence-users] Issues with roles and VLAN assignment

2020-10-30 Thread ypefti--- via PacketFence-users
Actually it was your hint about device registration that clicked and made me 
check my connection profile. 

Still, it ALWAYS helps to ask questions and read answers and advices very 
carefully 

 

Ludovic, please guide me through the connection profile creation for public 
WiFi with captive portal for guests.

Just high level and mostly hints, like what modules are involved.

I did everything as advised here on Unifi side

 

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_ubiquiti_2

 

But there are gaps in understanding of what to do on PacketFence side

1.  I created/cloned the external authentication source for SMS based 
registration and included only Canadian cellular operators
2.  I’m reusing the same switch group that includes Unifi APs, under “Role 
by VLAN ID” I put a VLAN ID 20 to guest, but I suspect this is wrong

 

As far as I understand it, I need to create a condition for PacketFence to help 
it differentiate if the authentication comes via WebAuth and not 
Wireless-802.11-EAP. Is this where the connection profile comes into place ? 

 

Eugene

 

 

From: Ludovic Zammit  
Sent: Friday, October 30, 2020 11:11 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment

 

The logs don’t lie ;-)

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca   ::  +1.514.447.4918 (x145) ::  
www.inverse.ca  
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

On Oct 30, 2020, at 2:00 PM, ype...@gmail.com wrote:

 

That’s what I missed, namely the connection profile for devices registration 
wasn’t enabled.

Thank you, Ludovic!

 

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, October 30, 2020 10:24 AM
To: ype...@gmail.com  
Cc: packetfence-users@lists.sourceforge.net 
 
Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment

 

If you node has: status = registered and a role, PacketFence would return the 
VLAN for the role from the switch (inherited configuration from switch groups 
or not).

 

Do an authentication and send the logs.packetfence.log.

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca   ::  +1.514.447.4918 (x145) ::  
www.inverse.ca  
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org) 

On Oct 30, 2020, at 1:14 PM, ype...@gmail.com wrote:

 

Hi Ludovic,

Thanks for looking into it.

My search through packetfence.log didn’t produce any matches for the specific 
MAC address.

Let me paraphrase my question. The group of switches (or rather Wireless AP) 
has a list of roles.

The top is registration with VLAN 2. Then go three more, i.e. isolation, 
macDetection, inline and reject. 

Only then do I have Staff role with VLAN 10. I don’t have a way to change this 
order and my attempt to assign VLAN 10 to registration was reversed after I 
restarted PacketFence services. Essentially RADIUS assigns by default VLAN 2 
which is against my logic and design. I don’t have registration and isolation 
interfaces/VLANs. It is pure dot1x/RADIUS authentication via management 
interface

 

Eugene

 

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, October 30, 2020 4:47 AM
To: packetfence-users@lists.sourceforge.net 
 
Cc: ype...@gmail.com  
Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment

 

Hello Eugene,

 

The answer is in your logs.

 

grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca   ::  +1.514.447.4918 (x145) ::  
www.inverse.ca  
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org) 

On Oct 29, 2020, at 3:15 PM, ypefti--- via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

 

Folks, 

Can someone help me identify what I’m missing.

My authentication session goes through but the endpoint that connects to WAP 
(Unifi) never gets an IP address.

I investigated it and see that RADIUS assigns the wrong VLAN to the connection.

This is what I see in the live session log

 

Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted user: 
it.tech   and returned VLAN 2

 

But my authentication source has a rule with an action to set the Role Staff 
which is defined with a specific VLAN 10

VLAN 2 on the contrary is assigned to a registration role which I’m 

Re: [PacketFence-users] Issues with roles and VLAN assignment

2020-10-30 Thread ypefti--- via PacketFence-users
Hi Ludovic,

Thanks for looking into it.

My search through packetfence.log didn’t produce any matches for the specific 
MAC address.

Let me paraphrase my question. The group of switches (or rather Wireless AP) 
has a list of roles.

The top is registration with VLAN 2. Then go three more, i.e. isolation, 
macDetection, inline and reject. 

Only then do I have Staff role with VLAN 10. I don’t have a way to change this 
order and my attempt to assign VLAN 10 to registration was reversed after I 
restarted PacketFence services. Essentially RADIUS assigns by default VLAN 2 
which is against my logic and design. I don’t have registration and isolation 
interfaces/VLANs. It is pure dot1x/RADIUS authentication via management 
interface

 

Eugene

 

From: Ludovic Zammit  
Sent: Friday, October 30, 2020 4:47 AM
To: packetfence-users@lists.sourceforge.net
Cc: ype...@gmail.com
Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment

 

Hello Eugene,

 

The answer is in your logs.

 

grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

On Oct 29, 2020, at 3:15 PM, ypefti--- via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

 

Folks, 

Can someone help me identify what I’m missing.

My authentication session goes through but the endpoint that connects to WAP 
(Unifi) never gets an IP address.

I investigated it and see that RADIUS assigns the wrong VLAN to the connection.

This is what I see in the live session log

 

Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted user: 
it.tech   and returned VLAN 2

 

But my authentication source has a rule with an action to set the Role Staff 
which is defined with a specific VLAN 10

VLAN 2 on the contrary is assigned to a registration role which I’m not using 
at the moment.

My short term goal is dot1x WiFi authentication with RADIUS assigned VLAN.

 

Eugene

 

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] 10.2.0 Eap gtc sub module failed

2020-10-30 Thread Sonali Gulia via PacketFence-users
hi Durand fabrice

here is the result of raddebug -f /usr/local/pf/var/run/radiusd.sock -t
3000

(10522) Fri Oct 30 21:32:00 2020: Debug: Received Status-Server Id 97 from
127.0.0.1:51783 to 127.0.0.1:18121 length 50
(10522) Fri Oct 30 21:32:00 2020: Debug:   Message-Authenticator =
0x595be7422b20bffc2fd6282691eb1b4e
(10522) Fri Oct 30 21:32:00 2020: Debug:   FreeRADIUS-Statistics-Type = 15
(10522) Fri Oct 30 21:32:00 2020: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/status
(10522) Fri Oct 30 21:32:00 2020: Debug:   Autz-Type Status-Server {
(10522) Fri Oct 30 21:32:00 2020: Debug: [ok] = ok
(10522) Fri Oct 30 21:32:00 2020: Debug:   } # Autz-Type Status-Server = ok
(10522) Fri Oct 30 21:32:00 2020: Debug: Sent Access-Accept Id 97 from
127.0.0.1:18121 to 127.0.0.1:51783 length 0
(10522) Fri Oct 30 21:32:00 2020: Debug:   FreeRADIUS-Total-Access-Requests
= 10523
(10522) Fri Oct 30 21:32:00 2020: Debug:   FreeRADIUS-Total-Access-Accepts
= 0
(10522) Fri Oct 30 21:32:00 2020: Debug:   FreeRADIUS-Total-Access-Rejects
= 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Access-Challenges = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:   FreeRADIUS-Total-Auth-Responses
= 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Auth-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Auth-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Auth-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Auth-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Accounting-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Accounting-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Acct-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Acct-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Acct-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Acct-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Acct-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Access-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Access-Accepts = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Access-Rejects = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Access-Challenges = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Auth-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Auth-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Auth-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Auth-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Auth-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Auth-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Accounting-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Accounting-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Acct-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Acct-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Acct-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Acct-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug:
FreeRADIUS-Total-Proxy-Acct-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: Finished request
(10522) Fri Oct 30 21:32:05 2020: Debug: Cleaning up request packet ID 97
with timestamp +157883
(10523) Fri Oct 30 21:32:15 2020: Debug: Received Status-Server Id 71 from
127.0.0.1:43289 to 127.0.0.1:18121 length 50
(10523) Fri Oct 30 21:32:15 2020: Debug:   Message-Authenticator =
0x2e1611a2cb839f02f01df0ab302f9062
(10523) Fri Oct 30 21:32:15 2020: Debug:   FreeRADIUS-Statistics-Type = 15
(10523) Fri Oct 30 21:32:15 2020: Debug: # Executing group from file
/usr/local/pf/raddb/sites-enabled/status
(10523) Fri Oct 30 21:32:15 2020: Debug:   Autz-Type Status-Server {
(10523) Fri Oct 30 21:32:15 2020: Debug: [ok] = ok
(10523) Fri Oct 30 21:32:15 2020: Debug:   } # Autz-Type Status-Server = ok
(10523) Fri Oct 30 21:32:15 2020: Debug: Sent Access-Accept Id 71 from
127.0.0.1:18121 to 127.0.0.1:43289 length 0
(10523) Fri Oct 30 21:32:15 2020: Debug:   FreeRADIUS-Total-Access-Requests
= 10524
(10523) Fri Oct 30 21:32:15 2020: Debug:   FreeRADIUS-Total-Access-Accepts
= 0
(10523) Fri Oct 30 21:32:15 2020: Debug:   FreeRADIUS-Total-Access-Rejects
= 0
(10523) Fri Oct 30 21:32:15 2020: Debug:
FreeRADIUS-Total-Access-Challenges = 0
(10523) Fri Oct 30 21:32:15 2020: Debug:   FreeRADIUS-Total-Auth-Responses

Re: [PacketFence-users] Wifi Hotspot with SMS OTP Authentication Needed

2020-10-30 Thread ypefti--- via PacketFence-users
Also, regarding the same subject, what logs on PacketFence would I need to
start looking into if the captive portal doesn't work at all?
I followed the documentation and added "Portal" as an additional daemon to
the management interface and restarted the required services.
How would I link SMS-based registration from external authentication sources
to a captive portal?

Eugene

-Original Message-
From: E.P.  
Sent: Friday, October 30, 2020 8:35 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'Sina Owolabi' 
Subject: RE: [PacketFence-users] Wifi Hotspot with SMS OTP Authentication
Needed

Hello,
I looked through the archive of the emails on the topic in the subject and found
that this question has never been answered. Is there any reference or at
least high-level instruction on how to do it?

Eugene

-Original Message-
From: Sina Owolabi via PacketFence-users

Sent: Saturday, August 24, 2019 1:43 AM
To: packetfence-users@lists.sourceforge.net
Cc: Sina Owolabi 
Subject: [PacketFence-users] Wifi Hotspot with SMS OTP Authentication Needed

Hi!

I'm looking for advice on wifi hotspot design where the captive portal
collects user registration data (which could change over time).

The hotspot captive portal needs to generate an OTP SMS and accept it for
authentication to allow internet access.
I was reading the docs and I saw PacketFence uses Clickatell as an 'SMS
Authentication Source', but I didn't fully understand the configuration
description.

Can PacketFence work in this situation, perhaps as in a CentOS 7 KVM guest?
Can I get advice on if this would work?
I'm not averse to consulting on this if necessary and I don't mind a bit of
work getting it all to function.

Thanks!

-- 

cordially yours,

Sina Owolabi

+2348176469061




Re: [PacketFence-users] Issues with roles and VLAN assignment

2020-10-30 Thread ypefti--- via PacketFence-users
That’s what I missed, namely the connection profile for devices registration 
wasn’t enabled.

Thank you, Ludovic!

 

From: Ludovic Zammit  
Sent: Friday, October 30, 2020 10:24 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment

 

If your node has: status = registered and a role, PacketFence would return the 
VLAN for the role from the switch (inherited configuration from switch groups 
or not).

 

Do an authentication and send the logs.packetfence.log.

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

On Oct 30, 2020, at 1:14 PM, <ype...@gmail.com> wrote:

 

Hi Ludovic,

Thanks for looking into it.

My search through packetfence.log didn’t produce any matches for the specific 
MAC address.

Let me paraphrase my question. The group of switches (or rather Wireless AP) 
has a list of roles.

The top is registration with VLAN 2. Then go three more, i.e. isolation, 
macDetection, inline and reject. 

Only then do I have Staff role with VLAN 10. I don’t have a way to change this 
order and my attempt to assign VLAN 10 to registration was reversed after I 
restarted PacketFence services. Essentially RADIUS assigns by default VLAN 2 
which is against my logic and design. I don’t have registration and isolation 
interfaces/VLANs. It is pure dot1x/RADIUS authentication via management 
interface

 

Eugene

 

From: Ludovic Zammit <lzam...@inverse.ca>
Sent: Friday, October 30, 2020 4:47 AM
To: packetfence-users@lists.sourceforge.net
Cc: ype...@gmail.com
Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment

 

Hello Eugene,

 

The answer is in your logs.

 

grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

On Oct 29, 2020, at 3:15 PM, ypefti--- via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

 

Folks, 

Can someone help me identify what I’m missing.

My authentication session goes through but the endpoint that connects to WAP 
(Unifi) never gets an IP address.

I investigated it and see that RADIUS assigns the wrong VLAN to the connection.

This is what I see in the live session log

 

Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted user: 
it.tech   and returned VLAN 2

 

But my authentication source has a rule with an action to set the Role Staff 
which is defined with a specific VLAN 10

VLAN 2 on the contrary is assigned to a registration role which I’m not using 
at the moment.

My short term goal is dot1x WiFi authentication with RADIUS assigned VLAN.

 

Eugene

 



[PacketFence-users] 802.1x client authentication without supplying the domain name.

2020-10-30 Thread Chin, Peter via PacketFence-users
I hope everyone is well. We are currently deploying a test instance of 
PacketFence ZEN v10.1 and are looking for some advice on how to get 802.1x RADIUS 
authentication working without supplying the domain name as part of the user 
name. Any advice is greatly appreciated.

Thank you,

Peter Chin | Sr. Technical Programmer | IT Operations | Community College of 
Rhode Island |400 East Ave, Warwick RI, 02886 | 
pc...@ccri.edu | (401) 825.1237



Re: [PacketFence-users] Wifi Hotspot with SMS OTP Authentication Needed

2020-10-30 Thread E.P. via PacketFence-users
Hello,
I looked through the archive of the emails on the topic in the subject and found
that this question has never been answered. Is there any reference or at
least high-level instruction on how to do it?

Eugene

-Original Message-
From: Sina Owolabi via PacketFence-users
 
Sent: Saturday, August 24, 2019 1:43 AM
To: packetfence-users@lists.sourceforge.net
Cc: Sina Owolabi 
Subject: [PacketFence-users] Wifi Hotspot with SMS OTP Authentication Needed

Hi!

I'm looking for advice on wifi hotspot design where the captive portal
collects user registration data (which could change over time).

The hotspot captive portal needs to generate an OTP SMS and accept it for
authentication to allow internet access.
I was reading the docs and I saw PacketFence uses Clickatell as an 'SMS
Authentication Source', but I didn't fully understand the configuration
description.

Can PacketFence work in this situation, perhaps as in a CentOS 7 KVM guest?
Can I get advice on if this would work?
I'm not averse to consulting on this if necessary and I don't mind a bit of
work getting it all to function.

Thanks!

-- 

cordially yours,

Sina Owolabi

+2348176469061




Re: [PacketFence-users] Issues with roles and VLAN assignment

2020-10-30 Thread Ludovic Zammit via PacketFence-users
The logs don’t lie ;-)

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Oct 30, 2020, at 2:00 PM,   wrote:
> 
> That’s what I missed, namely the connection profile for devices registration 
> wasn’t enabled.
> Thank you, Ludovic!
>  
> From: Ludovic Zammit  
> Sent: Friday, October 30, 2020 10:24 AM
> To: ype...@gmail.com
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment
>  
> If your node has: status = registered and a role, PacketFence would return the 
> VLAN for the role from the switch (inherited configuration from switch groups 
> or not).
>  
> Do an authentication and send the logs.packetfence.log.
>  
> Thanks,
> 
> Ludovic Zammit
> lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
> www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
> ) and PacketFence (http://packetfence.org 
> ) 
>  
> 
> 
> 
> 
>> On Oct 30, 2020, at 1:14 PM, <ype...@gmail.com> wrote:
>>  
>> Hi Ludovic,
>> Thanks for looking into it.
>> My search through packetfence.log didn’t produce any matches for the 
>> specific MAC address.
>> Let me paraphrase my question. The group of switches (or rather Wireless AP) 
>> has a list of roles.
>> The top is registration with VLAN 2. Then go three more, i.e. isolation, 
>> macDetection, inline and reject. 
>> Only then do I have Staff role with VLAN 10. I don’t have a way to change 
>> this order and my attempt to assign VLAN 10 to registration was reversed 
>> after I restarted PacketFence services. Essentially RADIUS assigns by 
>> default VLAN 2 which is against my logic and design. I don’t have 
>> registration and isolation interfaces/VLANs. It is pure dot1x/RADIUS 
>> authentication via management interface
>>  
>> Eugene
>>  
>> From: Ludovic Zammit <lzam...@inverse.ca>
>> Sent: Friday, October 30, 2020 4:47 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: ype...@gmail.com
>> Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment
>>  
>> Hello Eugene,
>>  
>> The answer is in your logs.
>>  
>> grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log
>>  
>> Thanks,
>> 
>> Ludovic Zammit
>> lzam...@inverse.ca  ::  +1.514.447.4918 (x145) :: 
>>  www.inverse.ca 
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
>> ) and PacketFence (http://packetfence.org 
>> ) 
>>  
>> 
>> 
>> 
>> 
>> 
>> 
>>> On Oct 29, 2020, at 3:15 PM, ypefti--- via PacketFence-users wrote:
>>>  
>>> Folks, 
>>> Can someone help me identify what I’m missing.
>>> My authentication session goes through but the endpoint that connects to 
>>> WAP (Unifi) never gets an IP address.
>>> I investigated it and see that RADIUS assigns the wrong VLAN to the 
>>> connection.
>>> This is what I see in the live session log
>>>  
>>> Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted 
>>> user: it.tech  and returned VLAN 2
>>>  
>>> But my authentication source has a rule with an action to set the Role 
>>> Staff which is defined with a specific VLAN 10
>>> VLAN 2 on the contrary is assigned to a registration role which I’m not 
>>> using at the moment.
>>> My short term goal is dot1x WiFi authentication with RADIUS assigned VLAN.
>>>  
>>> Eugene
>>>  


Re: [PacketFence-users] Issues with roles and VLAN assignment

2020-10-30 Thread Ludovic Zammit via PacketFence-users
If your node has: status = registered and a role, PacketFence would return the 
VLAN for the role from the switch (inherited configuration from switch groups 
or not).

Do an authentication and send the logs.packetfence.log.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Oct 30, 2020, at 1:14 PM,   wrote:
> 
> Hi Ludovic,
> Thanks for looking into it.
> My search through packetfence.log didn’t produce any matches for the specific 
> MAC address.
> Let me paraphrase my question. The group of switches (or rather Wireless AP) 
> has a list of roles.
> The top is registration with VLAN 2. Then go three more, i.e. isolation, 
> macDetection, inline and reject. 
> Only then do I have Staff role with VLAN 10. I don’t have a way to change 
> this order and my attempt to assign VLAN 10 to registration was reversed 
> after I restarted PacketFence services. Essentially RADIUS assigns by default 
> VLAN 2 which is against my logic and design. I don’t have registration and 
> isolation interfaces/VLANs. It is pure dot1x/RADIUS authentication via 
> management interface
>  
> Eugene
>  
> From: Ludovic Zammit  
> Sent: Friday, October 30, 2020 4:47 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: ype...@gmail.com
> Subject: Re: [PacketFence-users] Issues with roles and VLAN assignment
>  
> Hello Eugene,
>  
> The answer is in your logs.
>  
> grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log
>  
> Thanks,
> 
> Ludovic Zammit
> lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
> www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
> ) and PacketFence (http://packetfence.org 
> ) 
>  
> 
> 
> 
> 
>> On Oct 29, 2020, at 3:15 PM, ypefti--- via PacketFence-users wrote:
>>  
>> Folks, 
>> Can someone help me identify what I’m missing.
>> My authentication session goes through but the endpoint that connects to WAP 
>> (Unifi) never gets an IP address.
>> I investigated it and see that RADIUS assigns the wrong VLAN to the 
>> connection.
>> This is what I see in the live session log
>>  
>> Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted 
>> user: it.tech  and returned VLAN 2
>>  
>> But my authentication source has a rule with an action to set the Role Staff 
>> which is defined with a specific VLAN 10
>> VLAN 2 on the contrary is assigned to a registration role which I’m not 
>> using at the moment.
>> My short term goal is dot1x WiFi authentication with RADIUS assigned VLAN.
>>  
>> Eugene
>>  
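
The check described in the message above (a registered node with a role gets that role's VLAN, anything else falls back to registration) can be run against the RADIUS "Accepted user ... returned VLAN" lines quoted in this thread. This is an added example, not part of the original messages and not PacketFence code; the VLAN numbers are the ones given in the thread (registration = 2, Staff = 10), while the expected-role table, the function names and all sample lines except the first are constructed assumptions.

```python
import re
from collections import namedtuple

# Role -> VLAN as described in the thread.
ROLE_VLANS = {"registration": 2, "Staff": 10}

# Hypothetical table: the role each user's authentication rule should assign.
EXPECTED_ROLE = {"it.tech": "Staff", "jane.doe": "Staff"}

# Matches the audit line format quoted in the thread. \s also matches the
# line break a mail client inserts, so wrapped records are still parsed.
ACCEPT_RE = re.compile(
    r"\[mac:(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\]\s+"
    r"Accepted user:\s*(?P<user>\S+)\s+and returned VLAN\s+(?P<vlan>\d+)"
)

Finding = namedtuple("Finding", "mac user returned_vlan expected_vlan reason")


def normalize_mac(mac):
    """Lower-case, colon-separated form so MACs compare equal across log styles."""
    return mac.lower().replace("-", ":")


def audit(log_text, role_vlans=ROLE_VLANS, expected_role=EXPECTED_ROLE):
    """Return one Finding per accepted session whose VLAN is not the expected one."""
    findings = []
    for m in ACCEPT_RE.finditer(log_text):
        mac = normalize_mac(m.group("mac"))
        user = m.group("user")
        returned = int(m.group("vlan"))
        role = expected_role.get(user)
        if role is None:
            # Accepted, but nothing on record says which role it should get.
            findings.append(Finding(mac, user, returned, None,
                                    "user has no expected role on record"))
            continue
        expected = role_vlans[role]
        if returned == expected:
            continue
        if returned == role_vlans["registration"]:
            reason = "registration VLAN returned: check node status and role"
        else:
            reason = "VLAN does not match the expected role"
        findings.append(Finding(mac, user, returned, expected, reason))
    return findings


# First record is the line quoted in the thread (wrapped as it was in the
# e-mail); the other two are constructed for the example.
SAMPLE_LOG = """\
Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted user:
it.tech   and returned VLAN 2
Oct 29 12:05:02 packetfence auth[1201]: [mac:02-00-00-00-00-01] Accepted user: jane.doe and returned VLAN 10
Oct 29 12:06:40 packetfence auth[1201]: [mac:02:00:00:00:00:02] Accepted user: lab.printer and returned VLAN 2
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.mac} {f.user}: got VLAN {f.returned_vlan}, "
              f"expected {f.expected_vlan} ({f.reason})")
```
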


Re: [PacketFence-users] 10.2.0 Eap gtc sub module failed

2020-10-30 Thread Fabrice Durand via PacketFence-users

At least when you try to connect ...


Le 20-10-30 à 06 h 37, Sonali Gulia a écrit :

hi Durand fabrice

here is the result of raddebug -f /usr/local/pf/var/run/radiusd.sock 
-t 3000


(10522) Fri Oct 30 21:32:00 2020: Debug: Received Status-Server Id 97 
from 127.0.0.1:51783  to 127.0.0.1:18121 
 length 50
(10522) Fri Oct 30 21:32:00 2020: Debug: Message-Authenticator = 
0x595be7422b20bffc2fd6282691eb1b4e

(10522) Fri Oct 30 21:32:00 2020: Debug: FreeRADIUS-Statistics-Type = 15
(10522) Fri Oct 30 21:32:00 2020: Debug: # Executing group from file 
/usr/local/pf/raddb/sites-enabled/status

(10522) Fri Oct 30 21:32:00 2020: Debug:   Autz-Type Status-Server {
(10522) Fri Oct 30 21:32:00 2020: Debug:     [ok] = ok
(10522) Fri Oct 30 21:32:00 2020: Debug:   } # Autz-Type Status-Server 
= ok
(10522) Fri Oct 30 21:32:00 2020: Debug: Sent Access-Accept Id 97 from 
127.0.0.1:18121  to 127.0.0.1:51783 
 length 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Access-Requests = 10523
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Access-Accepts = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Access-Rejects = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Access-Challenges = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Auth-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Auth-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Auth-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Auth-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Auth-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Accounting-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Accounting-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Acct-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Acct-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Acct-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Acct-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Acct-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Access-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Access-Accepts = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Access-Rejects = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Access-Challenges = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Auth-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Auth-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Auth-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Auth-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Auth-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Auth-Unknown-Types = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Accounting-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Accounting-Responses = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Acct-Duplicate-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Acct-Malformed-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Acct-Invalid-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Acct-Dropped-Requests = 0
(10522) Fri Oct 30 21:32:00 2020: Debug: 
FreeRADIUS-Total-Proxy-Acct-Unknown-Types = 0

(10522) Fri Oct 30 21:32:00 2020: Debug: Finished request
(10522) Fri Oct 30 21:32:05 2020: Debug: Cleaning up request packet ID 
97 with timestamp +157883
(10523) Fri Oct 30 21:32:15 2020: Debug: Received Status-Server Id 71 
from 127.0.0.1:43289  to 127.0.0.1:18121 
 length 50
(10523) Fri Oct 30 21:32:15 2020: Debug: Message-Authenticator = 
0x2e1611a2cb839f02f01df0ab302f9062

(10523) Fri Oct 30 21:32:15 2020: Debug: FreeRADIUS-Statistics-Type = 15
(10523) Fri Oct 30 21:32:15 2020: Debug: # Executing group from file 
/usr/local/pf/raddb/sites-enabled/status

(10523) Fri Oct 30 21:32:15 2020: Debug:   Autz-Type Status-Server {
(10523) Fri Oct 30 21:32:15 2020: Debug:     [ok] = ok
(10523) Fri Oct 30 21:32:15 2020: Debug:   } # Autz-Type Status-Server 
= ok
(10523) Fri Oct 30 21:32:15 2020: Debug: Sent Access-Accept Id 71 from 
127.0.0.1:18121  to 127.0.0.1:43289 
 length 0
(10523) Fri Oct 30 21:32:15 2020: Debug: 

Re: [PacketFence-users] Issues with roles and VLAN assignment

2020-10-30 Thread Ludovic Zammit via PacketFence-users
Hello Eugene,

The answer is in your logs.

grep MAC_ADDRESS /usr/local/pf/logs/packetfence.log

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Oct 29, 2020, at 3:15 PM, ypefti--- via PacketFence-users 
>  wrote:
> 
> Folks, 
> Can someone help me identify what I’m missing.
> My authentication session goes through but the endpoint that connects to WAP 
> (Unifi) never gets an IP address.
> I investigated it and see that RADIUS assigns the wrong VLAN to the 
> connection.
> This is what I see in the live session log
>  
> Oct 29 12:04:29 packetfence auth[1201]: [mac:18:81:0e:7c:3c:ed] Accepted 
> user: it.tech  and returned VLAN 2
>  
> But my authentication source has a rule with an action to set the Role Staff 
> which is defined with a specific VLAN 10
> VLAN 2 on the contrary is assigned to a registration role which I’m not using 
> at the moment.
> My short term goal is dot1x WiFi authentication with RADIUS assigned VLAN.
>  
> Eugene
>  